*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Marc Deslauriers 
(mdeslaur):

The current version of Wordpress shipped with Ubuntu 11.10 appears to be
out of date, and is likely to have known security flaws. The current
version produced by upstream is available in Debian unstable, and I
think there's a good case to be made that a StableReleaseUpgrade policy
exception to upgrade the package should be made on security grounds...
but at the very least 3.3 should be pipelined for 12.04 and 3.0.6 should
be released for all supported versions of Ubuntu.

1) The version shipped with 11.10 is 3.0.5+dfsg-1ubuntu1, last updated in 
February according to the changelog in /usr/share/doc/wordpress.
2) Upstream has since released 3.0.6, last updated in April according to file 
timestamps in the tarball. It's described as a ***mandatory security update*** 
per [1], but there are no bugs associated with the release in trac so it's hard 
to tell what exactly was fixed without diffing the releases.
3) Upstream has also since released 3.1 in Feb, 3.2 in July, and 3.3 is 
scheduled in November. Are these being considered for inclusion in new versions 
of Ubuntu? There are no Ubuntu bugs that I can find documenting the decision to 
stay back. All I can find is [5] documenting the availability of 3.2 in Debian 
sid.
4) Is the Ubuntu release practice consistent with upstream's maintenance 
policy? I've checked [2], [3], and [4] and cannot find any indication the 
wordpress team commits to providing security fixes for anything but the 
current/stable version of wordpress (3.2 at the moment).  Every 3.1.x release 
is marked as fixing security vulns, is it really true that none of them apply 
to 3.0.x or is upstream just not checking to see if new reports apply to the 
3.0.x series and not releasing fixes for that series anymore?

[1] http://codex.wordpress.org/Changelog/3.0.6
[2] http://codex.wordpress.org/FAQ_Security
[3] http://codex.wordpress.org/Submitting_Bugs
[4] http://wordpress.org/download/
[5] http://packages.debian.org/sid/wordpress

** Affects: wordpress (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Wordpress is out of date, possibly vulnerable to exploitation
https://bugs.launchpad.net/bugs/883955
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
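
Added example (not part of the bug report or of the Ubuntu package): a small POSIX sh script that reads the version string WordPress itself records in wp-includes/version.php and compares it with an upstream release number, so the "is the shipped package behind upstream" check in points 1 and 2 can be repeated on any install without trusting the packaging changelog alone. It assumes the Debian/Ubuntu package installs the tree under /usr/share/wordpress (so the file is /usr/share/wordpress/wp-includes/version.php); the sample version.php below is constructed, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: compare the $wp_version string that WordPress installs
# against a known upstream release number. Paths are an assumption; on
# Ubuntu the file is expected at /usr/share/wordpress/wp-includes/version.php.

# Print the value of $wp_version from a wp-includes/version.php file.
# Matches lines like:  $wp_version = '3.0.5';
wp_version_from_file() {
    sed -n "s/^[[:space:]]*\\\$wp_version[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Exit 0 if dotted version $1 is strictly older than $2, else exit 1.
# Missing components count as 0, so 3.1 == 3.1.0 and 3.1 < 3.1.1.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# Print "outdated <installed> <upstream>" or "current <installed> <upstream>".
# Returns 2 if no $wp_version line could be found in the file.
check_wordpress() {
    installed=$(wp_version_from_file "$1")
    if [ -z "$installed" ]; then
        echo "no \$wp_version found in $1" >&2
        return 2
    fi
    if version_lt "$installed" "$2"; then
        echo "outdated $installed $2"
    else
        echo "current $installed $2"
    fi
}

# Constructed sample standing in for the file shipped by 3.0.5+dfsg-1ubuntu1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
/**
 * The WordPress version string
 */
$wp_version = '3.0.5';
EOF

check_wordpress "$sample" 3.0.6     # prints: outdated 3.0.5 3.0.6
rm -f "$sample"
```

On a real host, replace the constructed file with /usr/share/wordpress/wp-includes/version.php and pass the release number you want to compare against; a non-zero exit from the sed step (no `$wp_version` line) means the file layout differs from what the script assumes, not that the install is current.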